Schools, colleges and universities all increasingly gather and process both personal and confidential information about their staff, students, and members of the general public. Such organisations are confronted by the same worrying scenario as many others across the public sector in that, in order to operate within the specific boundaries during a fiscal squeeze, they are incentivised to overlook the seemingly indiscernible risk of a data breach. Ironic that the value of such data is ever-increasing, but the budget to protect it is lagging far behind.
The sad fact is that a strategic and proactive approach to good data management practice is rare to find among today’s harried public sector IT managers. It’s reactive at best, often focusing on the ‘noisiest’/most publicised threats first.
As the number of cyber-attacks continues to rise, the existing atmosphere of apathy and inaction will no longer be accepted by authorities
Clearly the powers that be have decided that using ‘the stick’ is the best approach – fining organisations who are in breach of their rules. As the number of cyber-attacks continues to rise, the existing atmosphere of apathy and inaction will no longer be accepted by authorities. Should an institution not satisfy the requirements of the Data Protection Act (DPA), they may face fines of up to £500,000. On top of which, the GDPR will soon come into effect, which involves an even more stringent set of mandates.
Below are seven key measures which educational institutions will need to implement in order to ensure that they are compliant with the DPA (and start on the journey to good data management practices!):
1. Appoint a Data Protection Officer
A DPO will be responsible and accountable for all data protection issues within the institution. They should be referred to in the institution’s data protection policy, as they will be required to deal with security-related enquires from staff members. The DPO is also responsible for training staff, investigating suspicious activity, and keeping up-to-speed with industry practices.
2. Training, policies and procedures
It’s very important that staff members are sufficiently trained to comply with the DPA, as failure to do so could be costly. Each staff member should have a clear understanding about data protection issues, and the measures that should be taken to mitigate the risks of a potential breach. Staff members should attend at least one training course per year, which should outline the compliance protocols of the institution. Staff members should also be made aware that they may be personally liable for any breaches of the DPA. Staff members must have access to an up-to-date data protection policy, which they can use as a reference if they are unsure about the correct protocol in a given scenario.
3. Working from home and BYOD
BYOD (Bring Your Own Device) is an increasingly popular trend, whereby organisations allow their staff members to use their own personal devices, such as laptops, tablets or mobile phones, in the workplace. However, there are a number of security risks associated with this initiative, as institutions have less control over how these devices are managed. In such an environment, it is a good idea to use secure remote access software as opposed to allowing staff members to access their own personal email accounts and cloud facilities. Likewise, installing device management software on any devices used for accessing the institution’s data will help minimise the risk of a security breach.
4. Marketing, privacy and consent
Should an institution choose to use personal information, such as students’ email addresses, as a tool for their marketing campaigns and promotions, it is important that they have consent from their subjects before doing so. Likewise, if an institution were to purchase data, such as mailing lists, they must ensure that the subjects involved have been informed about how their personal information will be used, and have given their consent. Obtaining such authorisation is usually done via a ‘privacy notice’, which the data subject should read and agree to.
5. Subject access requests (SAR’s)
Under the Data Protection Act, data subjects have the right to request any personal information that is held by any organisation or institution. It’s important to note that SAR’s may also include private emails, which may contain delicate personal information.
6. Cyber insurance
It is important that an institution’s insurance policy is setup to cover potential data breaches, as the fines associated with such breaches can be very high. Insurance companies now offer ‘cyber insurance’, which is designed to cover cyber-attacks and data theft.
7. Audit! Audit! Audit!
The need for a suite of sophisticated auditing tools is perhaps the most overlooked measure of ensuring the security of your sensitive data.
It is crucial that you have a fast and efficient means of finding out where your sensitive data is located, who has access to what data, and when that data is accessed. You will also need a swift and intuitive means of reporting changes to the files and folders on your system. Such systems are readily available inexpensively in the market often with intuitive UIs, powerful reporting, and user-configurable alerting abilities.
Good data management is a lot more than ticking a few boxes and undergoing a bit of training
Good data management is a lot more than ticking a few boxes and undergoing a bit of training – or taking steps just ‘to be compliant’. By taking a proactive approach and identifying who has access to your critical data, in the event of a real threat, you have the ability to shut it down effectively and protect your valuable data.
Aidan Simister is CEO of Lepide.